Syn ACK win=0
Is it abnormal to receive a SYN, ACK with win=0?
I see it from time to time, but somebody is worried because they send a TCP ACK and a malformed TCP zero probe after a SYN, ACK with win=0. See the shared link below.
It's uncommon, but it happens. Normally, a system should advertise a window size of a couple of segments (n times MSS), but in some situations I saw devices return 0 in the SYN/ACK. Usually for printers which accept the connection but want to delay having to receive print data because they need to "wake up" first (e.g. spinning and heating up all the mechanical parts required to print).
So I wouldn't say it's something that is critical, but maybe that device sending the Win 0 should be on your "soon to be replaced" list (if possible - some hospitals have those old needle printers they still need to use).
That should be when you get a tcp windowZeroWindow, not a tcp of window size = 0; that's not the same thing. Source is sending ZeroWindow probes even if the destination has not sent tcp WindowZero. That is the issue; furthermore, the source packet is malformed or corrupted, not a good sign.
Check out the source network.
A device sending Win 0 is indicating that its TCP receive buffer is full and it needs the other party to wait. Generally this isn't a big problem as the 2 parties can sort things out. BUT in your case those Probes that follow make it look like the one side is waiting for quite a while; I can't quite see the times but it looks like 5+ seconds. Is this impacting users in any way?
I agree with Jasper above that as long as this is something like a printer and the Win0 only happens during something like initial bootup and you don't see any related user impact, you can probably ignore these. If however this is happening regularly on a client workstation or worse a server, I would definitely look into the TCP receive buffer and resources.
BW
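An added example (not from the thread, and not Wireshark's own code): this Python code labels the segments of one connection to show how a 1-byte segment sent after a SYN/ACK with window 0 can be classed as a zero-window probe even though no segment was labelled ZeroWindow. The labelling rules are a simplified version of the conditions given in Wireshark's TCP analysis documentation; the host names, ports and packet bytes are constructed, and checksums are left at zero.

```python
import struct

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04

def parse_tcp(segment: bytes) -> dict:
    """Decode the fields needed from the TCP header, plus payload length."""
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    header_len = (off_flags >> 12) * 4
    return {"seq": seq, "flags": off_flags & 0x3F, "window": window,
            "payload_len": len(segment) - header_len}

def classify(segments):
    """Label each (sender, tcp_bytes) segment of a single connection."""
    last_window = {}   # sender -> last window it advertised
    next_seq = {}      # sender -> next sequence number expected from it
    labels = []
    for src, raw in segments:
        t = parse_tcp(raw)
        peer_window = next((w for s, w in last_window.items() if s != src), None)
        if t["flags"] & SYN and t["window"] == 0:
            label = "handshake-window-0"      # win=0 in SYN or SYN/ACK
        elif t["window"] == 0 and not t["flags"] & (SYN | FIN | RST):
            label = "zero-window"             # win=0 on an established flow
        elif t["payload_len"] == 1 and peer_window == 0 and t["seq"] == next_seq.get(src):
            label = "zero-window-probe"       # 1 byte sent into a closed window
        else:
            label = "normal"
        labels.append(label)
        last_window[src] = t["window"]
        consumed = t["payload_len"] + (1 if t["flags"] & (SYN | FIN) else 0)
        next_seq[src] = (t["seq"] + consumed) & 0xFFFFFFFF
    return labels

def build(sport, dport, seq, ack, flags, window, payload=b""):
    """Build a constructed 20-byte TCP header (checksum/urgent = 0) + payload."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, window, 0, 0) + payload

# Constructed capture: a printer answers the SYN with win=0, the client probes.
SAMPLE = [
    ("client",  build(50000, 9100, 1000, 0,    SYN,       64240)),
    ("printer", build(9100, 50000, 7000, 1001, SYN | ACK, 0)),
    ("client",  build(50000, 9100, 1001, 7001, ACK,       64240)),
    ("client",  build(50000, 9100, 1001, 7001, ACK,       64240, b"\x00")),
    ("printer", build(9100, 50000, 7001, 1001, ACK,       0)),
]

if __name__ == "__main__":
    for (src, _), label in zip(SAMPLE, classify(SAMPLE)):
        print(f"{src:8} {label}")
```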
Asked: 2018-01-22 20:08:28 +0000
Seen: 4,959 times
Last updated: Feb 09 '18